Signature Systems, a vendor that provides point-of-sale (POS) systems primarily for restaurants, announced earlier this week that more than 300 restaurants, including over 200 Jimmy John’s locations, may have been compromised when malware that captures payment card data from cards swiped through terminals in certain restaurants was inserted into their system.
The breach impacts cards that were used between June 16 and August 5, 2014.
According to Krebs on Security, a well-respected security expert, Signature Systems’ “core product [may not have] met even the most basic security requirements set forth by PCI.” Krebs goes on to state that “[p]oint-of-sale vendors remain an attractive target for cyber thieves.”
This breach comes on the heels of a Secret Service warning1 last week that more than 1000 small retailers and restaurants are at risk of a data breach from a particularly virulent form of malware, and that companies should check their POS provider to ensure that there are no malware infections.
WHAT SHOULD YOU DO?
If you are a customer of Signature Systems, you should immediately consider hiring counsel to interact with Signature Systems on your behalf: if their security protocols do in fact fall below PCI standards, you will want to protect yourself in the event that your company’s information is breached as a result of their potential negligence or misrepresentations regarding their products. There may be indemnity, breach of contract, and other causes of action that you may have against them, as well.
If you are not a Signature Systems customer, you may still want to consider hiring counsel to examine your data security and data breach processes and policies to help protect you from a possible breach, and to prepare you in case one does occur. Hiring counsel before a breach occurs will:
- provide an ounce of prevention - it is cheaper to prepare and protect yourself before a breach occurs than to respond afterwards;
- ensure that an expert with your best interests at heart, not a vendor trying to sell you a product or service, is examining your systems and policies; and
- reduce your liability, litigation and regulatory exposure in the event that a breach does occur.
WHAT TO LOOK FOR:
When hiring counsel to conduct a security assessment, you will want to hire a firm that has expertise in all aspects of data security, including PCI compliance; expertise in drafting and compliance with privacy and data security policies and procedures; litigation experience in the data breach arena; and dealing with regulators, examiners, the media, and other third parties.
BE PROACTIVE: More breaches are coming
As we have seen from the Home Depot and Signature Systems breaches, thieves don’t care about the size of your company, only about how easy you are to hack. In other words, being too small or too big won’t protect you from their attempted intrusions.
Data breaches are going to occur – the difference is that there are some companies that prepare, and minimize their costs and exposure afterwards, and some that fail to take these prudent steps.